[krbdev.mit.edu #9044] git commit
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Wed Jan 12 14:38:47 EST 2022
Wed Jan 12 14:38:47 2022: Request 9044 was acted upon.
Transaction: Ticket created by ghudson at mit.edu
Queue: krb5
Subject: git commit
Owner: ghudson at mit.edu
Requestors:
Status: new
Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9044 >
Replace AD-SIGNEDPATH with minimal PACs
Remove all of the AD-SIGNEDPATH code. Instead, issue a signed minimal
PAC in all tickets and require a valid PAC to be present in all
tickets presented for S4U operations. Remove the get_authdata_info()
and sign_authdata() DAL methods, and add an issue_pac() method to
allow the KDB to add or copy buffers to the PAC. Add a disable_pac
realm flag.
Microsoft revised the S4U2Proxy rules for forwardable tickets. All
S4U2Proxy operations require forwardable evidence tickets, but
S4U2Self should issue a forwardable ticket if the requesting service
has no ok-to-auth-as-delegate bit but also no constrained delegation
privileges for traditional S4U2Proxy. Implement these rules,
extending the check_allowed_to_delegate() DAL method so that the KDC
can ask if a principal has any delegation privileges.
Combine the KRB5_KDB_FLAG_ISSUE_PAC and
KRB5_FLAG_CLIENT_REFERRALS_ONLY flags into KRB5_KDB_FLAG_CLIENT.
Rename the KRB5_KDB_FLAG_CANONICALIZE flag to
KRB5_KDB_FLAG_REFERRAL_OK, and only pass it to get_principal() for
lookup operations that can use a realm referral.
For consistency with Active Directory, honor the no-auth-data-required
server principal flag for S4U2Proxy but not for S4U2Self. Previously
we did the reverse.
https://github.com/krb5/krb5/commit/a441fbe329ebbd7775eb5d4ccc4a05eef370f08b
Author: Greg Hudson <ghudson at mit.edu>
Commit: a441fbe329ebbd7775eb5d4ccc4a05eef370f08b
Branch: master
doc/admin/conf_files/kdc_conf.rst | 6 +
src/include/k5-int.h | 26 +-
src/include/kdb.h | 330 ++++++---------
src/kdc/do_as_req.c | 33 +-
src/kdc/do_tgs_req.c | 131 +++---
src/kdc/kdc_authdata.c | 651 ++++++++-------------------
src/kdc/kdc_util.c | 221 +++++++---
src/kdc/kdc_util.h | 64 ++-
src/kdc/main.c | 5 +
src/kdc/realm_data.h | 1 +
src/kdc/tgs_policy.c | 222 ++++++++--
src/lib/kdb/kdb5.c | 99 +----
src/lib/kdb/libkdb5.exports | 4 +-
src/lib/krb5/asn.1/asn1_k_encode.c | 30 --
src/lib/krb5/krb/Makefile.in | 5 +-
src/lib/krb5/krb/authdata.c | 1 -
src/lib/krb5/krb/deps | 12 -
src/lib/krb5/krb/kfree.c | 18 -
src/lib/krb5/krb/s4u_authdata.c | 598 ------------------------
src/lib/krb5/libkrb5.exports | 4 -
src/plugins/kdb/db2/db2_exp.c | 13 +-
src/plugins/kdb/ldap/ldap_exp.c | 1 -
src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c | 4 +-
src/plugins/kdb/test/kdb_test.c | 530 ++++------------------
src/tests/asn.1/krb5_decode_leak.c | 10 -
src/tests/asn.1/krb5_decode_test.c | 8 -
src/tests/asn.1/krb5_encode_test.c | 17 -
src/tests/asn.1/ktest.c | 55 ---
src/tests/asn.1/ktest.h | 4 -
src/tests/asn.1/ktest_equal.c | 28 --
src/tests/asn.1/ktest_equal.h | 4 -
src/tests/asn.1/reference_encode.out | 2 -
src/tests/asn.1/trval_reference.out | 49 --
src/tests/gssapi/t_s4u.py | 20 +-
src/tests/t_authdata.py | 76 +---
35 files changed, 957 insertions(+), 2325 deletions(-)
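The revised S4U rules described in the commit message, modelled as a small policy check. This is an added illustration written for this page, not code from the krb5 commit; the ServicePrincipal and EvidenceTicket types and their field names are assumptions, and the branch treating an ok-to-auth-as-delegate service's S4U2Self ticket as forwardable reflects the traditional behaviour the message does not restate.

```python
from dataclasses import dataclass


@dataclass
class ServicePrincipal:
    """Hypothetical KDB view of a service principal (assumed field names)."""
    name: str
    ok_to_auth_as_delegate: bool = False
    # Targets this service may delegate to under traditional (KDC-side)
    # S4U2Proxy; an empty set means no constrained delegation privileges.
    allowed_to_delegate_to: frozenset = frozenset()


@dataclass
class EvidenceTicket:
    """Ticket presented as evidence in an S4U2Proxy request (constructed)."""
    forwardable: bool
    has_valid_pac: bool


def s4u2self_forwardable(svc: ServicePrincipal) -> bool:
    """Should the S4U2Self ticket issued to svc carry the forwardable flag?

    Forwardable when the service has the ok-to-auth-as-delegate bit, and
    also when it has neither that bit nor any constrained delegation
    privileges (the revised rule). Only a service that has delegation
    privileges but lacks the bit receives a non-forwardable ticket.
    """
    if svc.ok_to_auth_as_delegate:
        return True
    return len(svc.allowed_to_delegate_to) == 0


def s4u2proxy_check(svc: ServicePrincipal, evidence: EvidenceTicket,
                    target: str) -> tuple[bool, str]:
    """Apply the S4U2Proxy preconditions; returns (allowed, reason)."""
    if not evidence.forwardable:
        return False, "evidence ticket is not forwardable"
    if not evidence.has_valid_pac:
        # All tickets presented for S4U operations must carry a valid PAC.
        return False, "evidence ticket lacks a valid PAC"
    if target not in svc.allowed_to_delegate_to:
        return False, "no constrained delegation privilege for target"
    return True, "ok"
```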